Cyber Security News

Medical Management Company Settles $100,000 HIPAA Violation Case

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a $100,000 settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Doctors’ Management Services, a Massachusetts-based medical management company. It is the first OCR settlement arising from a ransomware attack. The underlying breach saw ransomware compromise the electronic protected health information of 206,695 individuals.

Handling of Healthcare Data

HIPAA is the body of federal rules governing the handling of health information; its Privacy and Security Rules require covered entities and their business associates to safeguard the privacy and security of that information. The settlement signals how seriously OCR treats failures to do so.

Doctors’ Management Services filed its breach report with HHS on April 22, 2019, reporting that a ransomware attack, attributed to the GandCrab malware, had affected 206,695 individuals. The intrusion began on April 1, 2017, when an unauthorized party gained access to the company's network, but the company did not become aware of it until December 24, 2018, when the attackers deployed ransomware to encrypt its files: roughly twenty months of undetected access. OCR's subsequent investigation identified potential security lapses at the company.

OCR Director Melanie Fontes Rainer noted that ransomware attacks on the healthcare system are increasingly common and leave both hospitals and patients exposed to data breaches. She urged healthcare organizations to assess their cybersecurity vulnerabilities proactively and to review their risks, records, and policies regularly.

Under the settlement agreement, OCR will monitor Doctors’ Management Services for three years for compliance with HIPAA. Doctors’ Management Services has also agreed to pay $100,000 to OCR and to implement a corrective action plan setting out the steps it will take to address potential violations of the HIPAA Privacy and Security Rules and to improve the security of its electronic protected health information (ePHI).

Key components of the corrective action plan include:

Risk Analysis: Doctors’ Management Services will review and update its risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it holds.

Risk Management Plan: The company will establish an updated enterprise-wide Risk Management Plan to address and mitigate the security risks and vulnerabilities identified by the updated risk analysis.

Policy and Procedure Revisions: The company will review and, as necessary, revise its written policies and procedures to comply with the HIPAA Privacy and Security Rules.

Workforce Training: The company will train its workforce on those HIPAA policies and procedures so that employees understand their role in protecting ePHI.

The settlement and corrective action plan underscore the regulator's role in holding healthcare entities to the Security Rule's standards. With ransomware attacks on healthcare increasingly common and electronic health records integral to care delivery, covered entities and business associates must identify and address their vulnerabilities proactively to protect the confidentiality, integrity, and availability of ePHI.

OCR Recommendations to Mitigate or Prevent Cyber-threats

OCR offered the following recommendations to HIPAA-covered health care providers, health plans, and clearinghouses, and to their business associates:

  • Review all vendor and contractor relationships to ensure that appropriate business associate agreements are in place and that they address breach and security incident obligations.
  • Integrate risk analysis and risk management into regular business processes, and reassess and update them whenever new technologies are adopted or business operations change.
  • Implement audit controls to record and examine activity in information systems that contain or use ePHI.
  • Regularly review information system activity; audit records only help if someone examines them in time to act.
  • Implement multi-factor authentication so that only authorized users can access ePHI.
  • Encrypt ePHI so that it cannot be read by unauthorized parties if other controls fail.
  • Incorporate lessons learned from prior incidents into the overall security management process.
  • Provide regular, role-specific training that reinforces workforce members' responsibility for privacy and security.